AO 106 (Rev. 04/10) Application for a Search Warrant

United States District Court
for the
District of Alaska

In the Matter of the Search of
(Briefly describe the property to be searched
or identify the person by name and address)

In re Application for a Warrant Under Rule 41 of the
Federal Rules of Criminal Procedure to Disrupt the
Kelihos Botnet

Case No. 3:18-mj-00324-DMS

APPLICATION FOR A SEARCH WARRANT 


I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under 
penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the 
property to be searched and give its location): 

See Attachment A, incorporated here by reference. 


located in the District of Alaska, there is now concealed (identify the
person or describe the property to be seized):

See Attachment B, incorporated here by reference.


The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):

☒ evidence of a crime;
□ contraband, fruits of crime, or other items illegally possessed;
□ property designed for use, intended for use, or used in committing a crime;
□ a person to be arrested or a person who is unlawfully restrained.


The search is related to a violation of: 


Code Section                        Offense Description
18 USC §§ 1030, 1343, and 2511.     Fraud and related activity in connection with computers, wire fraud, and illegal wiretapping.


The application is based on these facts: 

See attached Affidavit in Support of Search Warrant. 


☒ Continued on the attached sheet.

□ Delayed notice of ___ days (give exact ending date if more than 30 days: ________ ) is requested
under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.


Sworn to before me and signed in my presence.

Date: [handwritten date illegible]

City and state: Anchorage, Alaska

Elliott Peterson, Special Agent
Printed name and title

/S/ DEBORAH M. SMITH
CHIEF U.S. MAGISTRATE JUDGE
SIGNATURE REDACTED
Judge's signature

Hon. Deborah M. Smith, United States Magistrate Judge
Printed name and title
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ALASKA 


IN RE APPLICATION FOR A 
WARRANT UNDER RULE 41 OF THE 
FEDERAL RULES OF CRIMINAL 
PROCEDURE TO DISRUPT THE 
KELIHOS BOTNET 


Case No. 3:18-mj-00324-DMS 


AFFIDAVIT IN SUPPORT OF AN 
APPLICATION UNDER RULE 41 FOR A SEARCH 

WARRANT 

I, Elliott Peterson, being first duly sworn, hereby depose and state as follows: 

INTRODUCTION AND AGENT BACKGROUND 

1. I am a Special Agent with the Federal Bureau of Investigation in 
Anchorage, Alaska. I currently investigate criminal and national security computer 
intrusions in the Anchorage Field Office as a member of the Counter Intelligence / 
Cyber Squad. I have investigated cyber and computer intrusion matters for over 
five years and I specialize in the investigation of complex botnets, including Peer to 
Peer botnets, as well as botnets facilitating account takeover fraud and Distributed 
Denial Of Service attacks (DDOS). 

2. I make this affidavit in support of an application for a warrant under 
Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt 
the Kelihos botnet currently under the control of Peter Yuryevich LEVASHOV, a 
criminal hacker. The operation, which is particularly described in Attachment A 
and Attachment B, involves the distribution of updated peer lists, job messages 
and/or IP filter lists, further described in Attachment B, to the TARGET 
COMPUTERS currently infected with the Kelihos botnet malware in violation of
Title 18, United States Code, Sections 1030, 1343, and 2511, as described in
Attachment A. This operation will also obtain the Internet Protocol addresses and 
associated routing information of those infected computers, and those addresses are 
evidence of crimes committed by LEVASHOV. A PRTT order has been issued for the 
purpose of attaining those IP addresses and associated routing information. This 
operation will not capture content from the TARGET COMPUTERS or modify them 
in any other capacity except limiting the TARGET COMPUTERS' ability to interact 
with the Kelihos botnet. This limitation is achieved through the distribution of peer 
lists and job messages, described below. 

3. Unless otherwise noted, the following information was obtained by 
your affiant, other special agents and officers of the Federal Bureau of Investigation 
(FBI), third-party witness interviews, and/or from other law enforcement officers 
who conducted additional investigation into the subject matter of this criminal 
enterprise, all of whom I believe to be truthful and reliable. 

TECHNICAL DEFINITIONS 

4. As used herein, the following terms have the following meanings: 

a. “Malware” is malicious software, usually loaded onto a computer 
without the knowledge of the computer’s owner or user. For 
example, computer viruses are malware. 

b. A “botnet” is a network of computers that cybercriminals have
infected with malware that gives a cyber criminal access to each
computer and allows a cyber criminal to control each computer
remotely.

c. An Internet Protocol (IP) address is the globally unique address
of a computer or other device connected to a network, and is 
used to route Internet communications to and from the 
computer or other device. 

d. “Peer to peer” refers to a means of networking computers such 
that they communicate directly with each other, rather than 
through a centralized management point. 

PROBABLE CAUSE 

5. There is probable cause to believe that the TARGET COMPUTERS 
identified in Attachment A are infected by malicious software that causes them to 
collectively receive and obey commands from a common command and control 
infrastructure controlled by LEVASHOV, forming a botnet that has been named 
“Kelihos.” 

6. I have determined that Kelihos is a Peer to Peer botnet, whose 
principal functions are to (1) distribute high volumes of spam email to further 
criminal schemes; (2) install malicious payloads, such as ransomware; and (3) 
harvest user credentials from infected computers. Each of these schemes is
conducted for the financial benefit of LEVASHOV and other cybercriminals.

7. Based upon the investigation described below, I believe that Kelihos is
operated and controlled by an individual identified as Peter Yuryevich LEVASHOV,
a.k.a. “Petr LEVASHOV,” “Peter Severa,” “Petr Severa,” and “Sergey Astakhov.” I
am aware that on or about April 7, 2017 LEVASHOV was arrested in Spain and
remains detained in Spain.[1] On April 20, 2017 the District of Connecticut unsealed
an indictment charging LEVASHOV in 3:17CR83 with offenses related to the
activities described in this affidavit. I have also determined that the botnet has
been used for the financial benefit of LEVASHOV and other cybercriminals.

[1] I am also aware that an indictment was filed in 2007 in the Eastern District of
Michigan for conspiracy to commit electronic mail fraud, mail fraud, and wire fraud in
violation of 18 U.S.C. §§ 371, 1037(a)(2)-(a)(3), 1037(b)(2)(C), 1341, and 1343 and several
substantive counts of violating 18 U.S.C. §§ 1037(a)(2), 1037(b)(2)(C), and Section 2. That
indictment remains pending. I am also aware that a criminal complaint filed in the U.S.
District Court for the District of Columbia, which in 2009 charged LEVASHOV in his true
name with two substantive counts of violating 18 U.S.C. §§ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i),
1030(a)(5)(A)(ii) and 1030(a)(5)(B)(V), as well as one count of conspiracy to commit these
offenses in violation of 18 U.S.C. § 371. These charges resulted from LEVASHOV’S
operating the Storm Botnet from January 2007 until September 22, 2008. That botnet, like
that which is the subject of this prosecution, sent spam to facilitate pump and dump
schemes and the purchase of grey market pharmaceuticals. Because the government was
unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

8. In February 2018, LEVASHOV entered US custody in New Haven,
Connecticut.

9. I have also determined that in addition to distributing spam email, the
Kelihos botnet functions to harvest user credentials, and distribute malicious
payloads, including ransomware, as well as facilitating other schemes meant to
enrich LEVASHOV. These activities will be described more fully in subsequent
paragraphs.

10. Based on my investigation to date, I have observed that the number of
computers infected with Kelihos at any one time can vary. At times, over 100,000
computers have been simultaneously infected worldwide with Kelihos. When the
initial warrant in this case was issued, there were between 25,000 and 100,000
infected computers, approximately 5-10% of which were computers located in the
United States. Based on my review of computers which are infected with the
Kelihos malware and conversations with other FBI agents and computer security
researchers who have investigated the code used to create the Kelihos botnet, I 
know that it can be difficult for computer users to detect Kelihos infections. Kelihos 
is designed to persist on a victim’s computer despite any overt actions by the victim 
to remove it. For example, the first time that Kelihos runs, it sets its property 
setting to “invisible” so that it cannot be seen or manipulated by the victim. Based 
on my investigation and the investigation of others, I have found evidence of 
computers infected with Kelihos throughout the United States, including the 
District of Alaska, District of Connecticut, Western District of Washington, Central 
District of California and the Southern District of New York, and the Northern 
District of California. 

A. OPERATION OF THE KELIHOS BOTNET 

11. As described above, Kelihos utilizes Peer to Peer (P2P) connectivity. 
Instead of utilizing a traditional Command and Control (C2) server to control all of 
the bots, control is distributed across the entire infection base. The P2P design 
prevents law enforcement from merely taking over the C2 server and gaining 
immediate control of the entire botnet. 

12. Kelihos infects computers and divides them into two groups: “router 
nodes” and “worker nodes.” Router nodes are so named based upon their ability to 
route communications directly to both backend servers as well as other infected 
peers. Router nodes are Kelihos infections that have publicly accessible IP 
addresses. Router nodes are important to Kelihos as they permit direct
communication to the infected computer. Router nodes comprise approximately
10% of the Kelihos botnet.

Page 5 of 41

MAY 30 2018

13. In contrast, worker nodes comprise 90% of the Kelihos botnet, and 
utilize private IP addresses. Most internet enabled devices utilize private IP 
addresses, as they are separated from the Internet by one or more networking 
devices. For example, in many U.S. households, a Wi-Fi router is connected directly 
to a cable or DSL modem. This Wi-Fi router would then be assigned the 
household’s public IP address. Each device then connected to the Wi-Fi router 
would be assigned a private IP address. Worker nodes are harder to maintain for 
the botnet operator, as they are not directly accessible like a router node with a 
public IP address would be. 

14. To counteract the difficulty of contacting worker nodes with private IP 
addresses, Kelihos commands its worker nodes to check in regularly with the router 
nodes. That “check in” takes the form of exchanging peer lists and job messages. 

Peer lists maintain the IP addresses of other Kelihos infections, that is, an infected 
computer’s peers. This information informs each peer who else it can communicate 
with. Then, when a set amount of time has passed, the worker node will contact 
another router node to exchange data, including each other’s peer lists. In response, 
the worker node then compares its own peer list with the received peer list, and 
updates its own peer list with new IP addresses until it reaches a maximum 
number of 3,000. 
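Paragraphs 12 through 14 describe a data structure and an exchange: infections are split into router nodes (publicly reachable address) and worker nodes (private address behind a home router), and at each check-in a node merges the peer list it receives into its own until the list holds 3,000 entries. The Python model below is an added example written for this page; it is not code from the affidavit, from the FBI operation, or from the Kelihos malware. Its addresses are constructed from documentation and benchmarking ranges, its role rule is simplified to "RFC 1918 means worker, anything else means router", and the function names (node_role, role_counts, merge_peer_list, check_in, demo) are assumptions made for illustration. It lets a reader see what a capped merge does to a node's view of the network, which is the structure that the peer-list distribution described in paragraph 2 acts on.

```python
"""Toy model of the Kelihos peer-list exchange described in paragraphs 12-14.

Added example, not code from the affidavit, the operation, or the malware.
Addresses are constructed from RFC 5737 / RFC 2544 documentation and
benchmarking ranges. The role rule is simplified to RFC 1918 vs. everything
else; a real classifier would also exclude loopback, link-local and CGNAT space.
"""
import ipaddress
from itertools import islice
from typing import Iterable

MAX_PEERS = 3000  # cap on a node's peer list, as stated in paragraph 14

# RFC 1918 space: a device behind a home Wi-Fi router gets one of these (paragraph 13).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def node_role(ip: str) -> str:
    """Router node if publicly reachable, worker node if behind NAT (paragraphs 12-13)."""
    addr = ipaddress.ip_address(ip)
    return "worker" if any(addr in net for net in RFC1918) else "router"


def role_counts(ips: Iterable[str]) -> dict:
    """Count how an address set splits into router and worker nodes."""
    counts = {"router": 0, "worker": 0}
    for ip in ips:
        counts[node_role(ip)] += 1
    return counts


def merge_peer_list(own: list, received: Iterable, cap: int = MAX_PEERS) -> list:
    """Merge a received peer list into the node's own list (paragraph 14):
    keep existing entries, append addresses not yet known, stop at the cap."""
    merged = list(dict.fromkeys(own))   # de-duplicate while preserving order
    seen = set(merged)
    for ip in received:
        if len(merged) >= cap:
            break
        if ip not in seen:
            seen.add(ip)
            merged.append(ip)
    return merged


def check_in(worker_peers: list, router_peers: list) -> tuple:
    """One worker-to-router check-in: both sides swap lists and each merges the other's."""
    return (merge_peer_list(worker_peers, router_peers),
            merge_peer_list(router_peers, worker_peers))


# Constructed sample: two router nodes on documentation space, three workers behind NAT.
ROUTERS = ["203.0.113.10", "198.51.100.7"]
WORKERS = ["192.168.1.20", "10.0.0.5", "172.16.4.9"]


def demo() -> dict:
    """Run one check-in and one over-the-cap merge; return the observable results."""
    worker_list = ["203.0.113.10"]                  # worker knows a single router
    router_list = ["198.51.100.7", "192.168.1.20"]  # router knows another router and a worker
    worker_after, router_after = check_in(worker_list, router_list)
    # Hand a node 3,500 constructed addresses to show the merge stops at MAX_PEERS.
    flood = (str(h) for h in islice(ipaddress.ip_network("198.18.0.0/15").hosts(), 3500))
    capped = merge_peer_list([], flood)
    return {
        "roles": role_counts(ROUTERS + WORKERS),
        "worker_after": worker_after,
        "router_after": router_after,
        "capped_len": len(capped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the role split of the constructed sample (2 router, 3 worker), both lists after one check-in (each side ends up knowing all three addresses), and the capped length, which stays at 3000 even though 3,500 addresses were offered.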

1. Overview Of Kelihos’s Spam Distribution

15. Based upon my training and experience, I know that spam email 
messages distributed by botnets such as Kelihos are intended to facilitate various 
activities, including the sale of grey market pharmaceuticals; the manipulation of 
thinly-traded securities; the solicitation of fraudulent affiliate and “work from
home” schemes; and the distribution of malicious payloads, such as ransomware.
Spam emails directing the recipients to participate in all of these schemes have 
been directed to Alaskan recipients. 

16. For example, Kelihos generates massive volumes of spam emails 
directing recipients to web sites advertising the sale of branded pharmaceuticals. 
Based upon my training and experience, I know that many of these branded 
pharmaceuticals normally require prescriptions. Additionally, I know that the 
pharmaceuticals are offered at or below market rates, indicating that they are likely 
counterfeit. 


17. Kelihos also distributes high volumes of emails intended to manipulate 
the value of thinly-traded securities, including so-called “penny stocks.” In these 
messages, the recipient is led to believe that a specific stock will soon trade at a 
much higher value. For example, one email I reviewed stated that it was an 
“Advanced Trading Alert Notice,” with a “hot pick that will gain 100%...” The email 
urges recipients to “[a]quire [a specific thinly-traded security] on March 1 and 
receive 100% profit.” Another email stated “Don’t you crave to purchase a deal at
$0.07 and cash at $.21?! 200% gains simple. Get the stock: [...]. See, [...] current
ask is 0.21, it’s 200% than the todays bid. On Monday they will announce big news
and it sure spike to .21. Start buying [...] quick.” Because these emails target
stocks which generally experience very low trade volume, they are vulnerable to 
price manipulation associated with small increases in trade volume. 

18. Spam distributed by Kelihos is also a primary vector for affiliate 
recruitment scams commonly called “work from home.” In these messages, the 
unwitting recipient is directed to an email address or website from which they can 
receive more information about performing escrow or “private buyer” services. I 
have previously investigated these types of schemes and know them to principally 
be vehicles to further money laundering. For example, in an escrow scheme, 
individuals are instructed to receive and transfer funds in short time periods, often 
1-3 days. The incoming funds are usually proceeds of other criminal schemes which 
are then laundered through the unwitting recipient’s bank account. Due to the 
short time period from which money is received and then resent, the victim often is 
left responsible for the full amount laundered through their accounts after the 
financial institution detects the fraud and ceases further payment. These email 
schemes are also evidence of larger wire fraud schemes, as they make fraudulent 
claims of profit and opportunity or sell fraudulent goods and drugs. 

19. As described in greater detail below, I know that Kelihos distributes 
spam in at least two distinct ways. FBI personnel have observed Kelihos distribute 
spam from infected computers directly. Kelihos can command infected computers to 
function, in essence, as mail servers and distribute spam to recipient email 
addresses passed to the computer from the botnet. In these cases, Kelihos uses 
email addresses and randomly generated first and last name combinations not 
obviously associated with the true account from which the spam was sent. Known 
as “spoofing,” the result is that the spam will be made to appear to come from 
[username]@gmail.com when in reality it was sent by an infected computer with no 
association to the referenced email account. Kelihos accomplishes this by manually 
editing the header information. The spoofing makes the spam much more difficult 
to detect and block, while also concealing the true origins of the email messages. 
Kelihos can also send spam directly from mail servers, such as those owned by 
Earthlink or 1&1 Mail & Media, by gaining unauthorized access to them through 
the use of authentic email addresses and passwords harvested by Kelihos. In those 
instances, the spam is, in essence, sent from the victim’s email address through the 
mail server, but without the victim’s knowledge or authorization. 

2. Kelihos Distributes Malicious Payloads 
20. In addition to sending spam emails with URL hyperlinks that cause 
the downloading of malware, the Kelihos botnet can also command infected 
computers to download and execute malware directly. By commanding Kelihos 
victims to download and execute malware, Kelihos can retain near total control of 
the victim’s computer system by infecting them with payloads that can include 
banking trojans (malware designed to steal financial credentials), and ransomware 
(malware that encrypts the contents of a computer and then seeks a ransom 


payment in exchange for decryption). Based on ongoing FBI investigations and 
experience, I am aware that LEVASHOV will receive payment from other 
cybercriminals in exchange for distributing malicious payloads to infected 
computers within his botnet. This allows LEVASHOV to monetize his botnet 
beyond the distribution of spam. 

3. Kelihos Harvests Credentials 

21. In addition to distributing spam email and malicious payloads, 
Kelihos malware also harvests user credentials from victim computers through a 
number of methods. First, Kelihos searches text-based files stored on victim 
computers for email addresses. Second, Kelihos searches locations on victim 
computers for files known to contain usernames and passwords, including files 
associated with Internet browsers Chrome, Firefox, and Internet Explorer. Any 
email addresses and passwords located in these searches are harvested by Kelihos 
and subsequently transmitted back to LEVASHOV. 

22. To capture additional user credentials, Kelihos installs a software 
program called WinPCAP on infected machines. WinPCAP is a powerful packet 
capture utility that intercepts, in real time, electronic communications traversing 
the victim computer’s network card. Usernames and passwords found within this 
network traffic are transmitted back to LEVASHOV. 


B. KELIHOS RESEARCH, TESTING AND EVIDENCE OF CRIMES 

23. Many techniques were utilized to analyze and study the Kelihos 
malware. One of the first steps was to gather appropriate samples of the malware. 


One feature of the Kelihos botnet circa 2015 is that the Kelihos malware could be 
downloaded directly from backend servers. A specific type of backend servers were 
described by Kelihos administrators as “Golden Parachute Domains.” I believe that 
the naming convention relates to the role these servers play as redundant 
mechanisms of command and control. When a computer infected with Kelihos can 
no longer communicate with any other peer infections, it is programmed to reach 
out to domains (websites) that are hardcoded into its configuration. These domains, 
the “Golden Parachutes,” provide a peer list to the infected computer so that it can 
regain communication with other infected peers. For the purposes of this affidavit, 
there are at least three such domains presently relevant to the functioning of the 
Kelihos botnet, gorodkoff(.)com, goloduha(.)info and combach(.)com.² In addition to 
providing peer lists, research has shown that these Golden Parachute Domains 
were at times configured to distribute Kelihos malware. 

24. Kelihos, like many malware families, uses an affiliate/client system. 
At any given time there appears to be ten to twenty separate Kelihos “affiliates.” 
These affiliates are paid by LEVASHOV to infect computers with his Kelihos 
malware. The affiliates are paid according to the number of victims they infect and 
where those victims are located. I am aware of the affiliate model, because I 
previously downloaded LEVASHOVs pricing structure from a website known as 
“Smoney” that LEVASHOV maintained. A webpage labeled “loads01_rules.html” 
listed instructions for affiliates, as well as the payment rate per 1000 infections. 


² While the actual web addresses do not include “(.),” I have added them here to avoid 
accidental hyperlinking to these sites. 
25. Based on my investigation to date, I have determined that Kelihos, like 
many botnet families, prioritizes the infection of U.S. victims. This can be seen in 
the higher rates paid for U.S. victims. Based on my training and experience, I 
believe U.S. infections are prized by LEVASHOV because many of his schemes are 
directed against an English speaking audience, and U.S. IP addresses tend to be 
trusted by many firewalls and spam detection systems. 

26. In September 2015, I downloaded Kelihos malware directly from 
gorodkoff(.)com. I downloaded the malware by querying the server according to the 
following format: gorodkoff(.)com/affiliateID.exe. I was able to determine the 
affiliate IDs because the Smoney website maintained a full listing of active 
affiliates. For example, one such affiliate was boxi002. By issuing a query for 
gorodkoff(.)com/boxi002.exe, I downloaded a Windows executable named 
boxi002.exe. Subsequent analysis of this executable determined that it was in fact 
the Kelihos malware. This analysis was based upon comparing characteristics of 
the downloaded malware to known characteristics of the Kelihos malware. In this 
case, the downloaded boxi002.exe file interacted with the Windows Registry in a 
manner identical to Kelihos. That is, key registry values were modified so that the 
executable would be loaded each time the system started up. This occurs without 
the consent of the legitimate user and is a persistence mechanism designed to 
ensure that Kelihos remains on the victim’s computer despite any overt actions by 
the victim to remove the malware. 
27. My conclusions were similar to those of agents with the FBI’s New 
Haven, Connecticut Field Office who have also examined the Kelihos malware. The 
New Haven Field Office conducted additional testing and activated a sample of the 
Kelihos malware and observed the infected computer attempting to send high 
volumes of spam emails. Many of those emails supported a “pump and dump” 
scheme for a penny stock related to a known company (KC1). 

28. Through coordination with international law enforcement partners, I 
have monitored live traffic related to backend servers maintained by LEVASHOV in 
furtherance of the Kelihos scheme. In doing so, I observed commands issued from 
those servers to Kelihos infected computers. Many of those commands, or job 
messages, included commands to distribute emails relating to KC1. The emails 
suggested to the recipients that the stock would significantly increase in value, in 
the short term. 

29. The investigation by FBI’s New Haven Division also revealed the 
extent to which Kelihos harvests credentials from infected computers. Kelihos 
searches specific locations on computers for files known to contain usernames and 
passwords, including locations which store such data for several common internet 
browsers, including Chrome, Firefox and Internet Explorer. New Haven Division 
stored a fictitious email address and password in Internet Explorer on an infected 
FBI computer. Shortly after Kelihos was installed, this username and password 
was observed within Kelihos’s process memory, indicating that it had been 
identified and harvested. 
30. Kelihos also searches for usernames and passwords for Windows 
programs that use File Transfer Protocol (“FTP”). As its name suggests, FTP is a 
standard network protocol used for the transfer of computer files between 
computers. For example, pictures located on a computer could be backed up to a 
server in another location using FTP functionality. New Haven Division stored a 
FTP username and password combination on an infected FBI computer, and the 
username and password were observed in Kelihos process memory. 

31. Finally, the New Haven Division observed that Kelihos installed on an 
FBI computer a software program called WinPCAP, which is able to intercept and 
examine electronic communications traversing the computer’s network card in a 
Windows computer. They observed Kelihos commanding WinPCAP to intercept the 
contents of all incoming and outgoing network traffic on an infected computer. 

More specifically, Kelihos used this WinPCAP functionality to search for email 
usernames and passwords in the self-infections’ network traffic. 

C. EVIDENCE ESTABLISHING LEVASHOV’S CONTROL OF KELIHOS 


32. In cooperation with private sector partners, I previously identified two 
servers associated with the Kelihos botnet. Both were located outside the United 
States. In cooperation with international law enforcement partners, I received real-time 
data from those servers which revealed multiple associations between the 
Kelihos malware, servers connected to Kelihos, and LEVASHOV. 

33. One of the servers, bearing the IP address 94.242.250.88, functioned as 
a portion of the Kelihos backend. Additionally, it was utilized by LEVASHOV as a 
proxy, meaning that some portion of his Internet activities are directed through the 
server. As a result of this configuration, I have been able to observe backend 
panels, or websites, that provide status updates on the Kelihos botnet. Panels such 
as this are very commonly encountered in the investigation of botnets, as they 
facilitate the operator’s administration and troubleshooting of the botnet. 

34. In this case, the Kelihos panel is constructed as a website and includes 
information such as the status of its servers and the status of the Golden Parachute 
Domains. Gorodkoff(.)com, goloduha(.)info, combach(.)com and others, are 
specifically referenced, with color codes used to indicate their readiness status. 
Another portion of the webpage shows various backend servers, the spam messages 
they are being used to distribute, and data such as the speed at which the messages 
are being distributed. For example, as shown below, the email “lists” being utilized 
are “pharma_b+pharma+trade.” This is the same list, described below in the 
Jurisdiction section of this affidavit, which contained thousands of entries for 
Alaskan email addresses. 


Ip: 193.28.179.38 
Sat, 20 Feb 16 18:25:29 +0400 
List: ../lists/pharma_b+pharma+trade 
Body: Perfect method to ha ... ldrugmarket.ru/ 
Subject: Do you wan ... his night? 
Counter: 712910562 (1424874532) 
Speed: 79677 m/h 

Ip: 176.103.48.27 
Sat, 20 Feb 16 18:47:54 +0400 
List: pharma_b+pharma+trade 
Body: Giveto your babe nig ... ng.hxilgusk.ru/ 
Subject: Evoke your ... admiration 
Counter: 608715981 (1424874532) 
Speed: 10323 m/h 
35. Other portions of the Kelihos panel include antivirus and blacklisting 
reports. This indicates that the operator can actively monitor whether or not their 
various servers have been identified by antivirus or other blacklisting services. 

This is important for the operator, as blacklisting could reduce the reliability of 
their botnet. For example, the panel indicated that both of the servers referenced 
above appear to be tracked by at least one antivirus vendor. 

36. Additionally, the server appeared to contain copies of many of the 
spam email messages distributed by Kelihos. Subject lines of emails that appear to 
have been sent to email accounts (including many hosted by Alaskan ISP General 
Communication, Inc (GCI.net)) include, “Very good way to reveal your intimate life,” 
“No amorous failure risk,” “Attack your woman harder,” and “Are you ready to 
please your female partner tonight?” These emails contained links to websites that 
appear to facilitate the purchase of gray market pharmaceuticals. 

37. Also appearing to have been sent to GCI.net email accounts were 
emails with the subject lines, “This Company looks ready for a major run this 
week!”, “Big Gainers Since My Alert!”, “It is about to wake up and ROAR!” and “Its 
trading levels could change in no time (MUST READ).” The content of all of these 
emails were similar as they are intended to persuade the recipient to purchase a 
specific U.S. listed stock. For example, one email’s content listed: 

This Stock is our New WILD Sub-Penny Pick! Get Ready for Multi-Bagger 
Gains! 

Top 10 Reasons Why We Love This Pick! 

Company Name: KC1 
Traded as: KC1 
Long Term Target: $1.70 
Trade Date: February, 29th 
Closed at: 0.30 

Case No. 3:18-mj-00324-DMS 


38. These spam emails facilitate “pump and dump” stock schemes, as 
previously described in this affidavit. I have examined historical prices for several 
stocks for which Kelihos has conducted spam email campaigns and noted that such 
campaigns usually result in a temporary increase of the stock price of anywhere 
from 30 to 80 percent. 

39. In addition to the explicit Kelihos activity on the server, I observed 
that this server was utilized thousands of times to log into the mail.ru website tied 
to the email account pete777@mail.ru. Based on my training and experience, this 
indicates that the user of the Kelihos server was also utilizing the email 
pete777@mail.ru. The website 3038.org/listn.html associates this email address 
with Pete LEVASHOV, a websmith and programmer located in Russia, with a date 
of birth of 8/13/1980. The website 3038.org appears to be the website for a high 
school in St Petersburg, Russia, that focuses on mathematics and physics. 

40. The email address pete777@mail.ru is also associated with an Apple 
iCloud account in the name of Petr LEVASHOV. According to Apple’s records, 
LEVASHOV is a resident of the Russian Federation. A second email address is also 
associated with this iCloud account, levashov@knyazev-spb.ru. Apple subscriber 
information indicates that this account was registered with Apple using the IP 
address 83.243.67.25. Moreover, Apple’s records list the Apple Digital Signaling 
Identifier (DSID) 1972828024 with pete777@mail.ru’s account. An Apple DSID is a 

unique ID assigned to a user when registering with Apple’s iCloud service. 
41. 83.243.67.25 is the same IP address utilized to register the Google 
account, peteknyazev777@gmail.com. The accounts peteknyazev777@gmail.com 
and Apple DSID 1972828024 share extensive overlap of IP addresses utilized to 
access these accounts, including 91.122.62.16. Additionally, access logs from Apple 
and Google indicate that these accounts share temporal overlap with IP addresses 
as well, meaning that the same IP addresses are utilized during similar time 
periods. Based upon my training and experience, common IP addresses, 
particularly during the same time period, suggest that the same individual is 
accessing both accounts. 

42. The IP address 91.122.62.16 was also used by LEVASHOV to negotiate 
the purchase of a digital certificate from the company GeoTrust. An email was sent 
from renew@geotrust.com to petr@hottaby4.ru on November 23, 2016. This email 
referenced an order for a “Rapid Wildcard” certificate. These records were 
subsequently attained by agents within FBI’s New Haven Division, and indicate 
that a customer named Peter LEVASHOV, of Saint Petersburg, Russia, initiated an 
order for the certificates utilizing the IP address 91.122.62.16. Moreover, the 
certificate order was then completed, minutes later, utilizing the IP address 
94.242.250.88. 94.242.250.88 is the same IP address utilized thousands of times to 
log into the aforementioned pete777@mail.ru email account. This evidence of other 
use of the same IP by LEVASHOV is further evidence that LEVASHOV is utilizing 


both the Kelihos server and Google and Apple accounts which point to him. 
43. Furthermore, Foursquare, a social media application that provides 
recommendations on restaurants and shopping establishments to users, possessed 
records for an account in the name Petr LEVASHOV, registered with email address 
pete777@mail.ru. This account also displayed the same pattern of temporal overlap 
within the IP access logs, when compared to the previously mentioned Apple and 
Google accounts. Again, this indicates the account is likely used by LEVASHOV. 

44. One IP address appearing within LEVASHOV’S Foursquare account is 
85.17.31.90. This IP address also appears within LEVASHOV’S Apple DSID iCloud 
account 1972828024, and the Google account pr@hottaby4.ru. Google records from 
2016 indicate that pr@hottaby4.ru had been accessed by only two other IPs, one of 
which is the Kelihos server IP address 94.242.250.88. 

45. The server corresponding to IP address 94.242.250.88 also contained 
many references to LEVASHOV. For example, an email sent on February 26, 2016 
from no_reply@email.apple.com to petr@hottaby4.ru with the subject line, “Your 
app(iOS) status is In Review” is addressed to “Petr LEVASHOV” and contains a 
status update on an iOS application. There are many such emails sent from this 
Apple email account to petr@hottaby4.ru. 

46. Furthermore, analysis on data provided by Google revealed that on or 
about June 4, 2013, the following search terms, “kelihos” and “kelihos.f” were 
attributed to the account peteknyazev777@gmail.com. Further analysis of the data 
provided by Google showed that the cellphone number associated to this Google 
account is LEVASHOV’s mobile number ending in 0594 as indicated in Apple 
records. Based upon my training and experience I know that it is common for 
individuals operating botnets to conduct searches for their malware. 

47. It is also common for criminals engaged in cybercrime to utilize 
nicknames, especially on the criminal forums on which they exchange data on 
criminal techniques and offer products and services for sale. The use of nicknames 
allows them to protect their true identity, while still allowing for the benefits of 
name and product recognition. While there are a large number of Internet forums 
devoted to the exchange of criminal services and techniques, many criminals will 
use the same nickname on different forums. This is likely due to perceptions of 
anonymity, as well as the reliance upon reputations tied to nicknames. In these 
communities, actors are known principally by either their given nickname, or an 
email, jabber, or ICQ handle. Jabber and ICQ are “chat” applications. These 
reputations become important both in the exchange of data, and access to 
marketplaces in which products and services are sold. LEVASHOV utilized 
multiple nicknames, but the most common was “Severa” or “Peter Severa.” 

48. Upon examination of many criminal forum accounts in the name 
“Severa,” I have noted that in the majority, the ICQ number 104967 has been 
utilized since at least 2010. ICQ is a popular Internet instant message service in 
which users are identified by unique numerical values, known as ICQ numbers. 
Based upon my training and experience, I know that online monikers, such as ICQ 
numbers, are rarely changed or transferred by online criminals. Therefore, I 
conclude that the combination of an identical ICQ number and nickname are 
indicative of the same individual accessing and utilizing these accounts. 

49. Severa has used this ICQ number to advertise his botnets. For 
instance, in May 2015, the FBI received the following information pertaining to a 
vendor on the Russian criminal site Korovka.cc. The vendor was advertising 
“webmailer email spam” capability and the information he provided read as follows: 

Username: "Severa" 

Registration: 12/2/2011 
Jabber contact: jabber@honese.com 
ICQ: 104967 
Service: Email spam 

Details: The service was offered since 1999 and delivered 
spam to a recipients inbox. Every spam launched used several 
thousand clean IP addresses and accounts. Unique algorithms 
and technologies were constantly improved. Seller has US and 
Europe email databases for spam, and fresh databases received 
daily. Prices per million spam delivered were $200 USD legal 
advertisement, adult, mortgage, leads, pills, replies, etc... $300 
USD job spam (drops, mules, employment), and $500 USD 
scam/phishing attacks. 

50. This information conveyed that Severa’s spamming was superior to 
that of his competition and would be less likely to be detected (“clean IP addresses 
and accounts” and “unique algorithms”) and that he had been doing this for a long 
time (“since 1999”). 

51. The nickname Severa, and communication accounts such as 
jabber@honese.com, appeared frequently on the servers wiretapped by international 
law enforcement partners. Jabber@honese.com is an XMPP account. XMPP is a 
type of instant messaging service widely utilized on the internet. Because XMPP 
servers can be individually hosted and managed, rather than hosted and managed 
by a company such as Google, they are often trusted by criminal actors. 

52. Similarly, on or about January 14, 2017, Severa posted the following 
advertisement³ on an online forum called “Club2CRD”: 

Hello. 


I am offering my spamming service via electronic mail to 
everybody who is interested. I have been serving you since the distant 
year 1999, and during these years there has not been a single day that 
I keep still, by constantly improving quality of spamming. Now at your 
service there is the only one in the world unique technology of spamming 
via electronic mail, which provides maximum possible probability of 
delivering your message to the final recipient. 

Today I conduct all spamming via webmail. Each spamming is 
being done from dozens of thousands of clean IP addresses and accounts. 
To generate a message there are used unique algorithms and 
technologies which I have been constantly developing and improving. 
Every spamming is being automatically monitored for quality, with 
regular automatic spamming and running test messages. 

I conduct spamming on my databases of USA [PH], Europe, or 
other countries you are interested in. I am constantly collecting and 
testing new addresses from different sources. Databases are updated 
daily and I have enough of collected volume, in order to provide 
individual databases of addresses for each new spamming. 

The prices for one spamming (for a million of delivered messages) 

are: 

$200.00 - legal advertising, adult, mortgage [PH], leads, pills 
[PH], replication [PH], and etc. 

$300.00 - drops, also known as employment spam 

$500.00 — scam, phishing 


I am interested in large clients, and I actively incentive that with 
large discounts. The larger is the order volume, the bigger is a discount. 


Discounts start just at two million, and they may exceed 50%. Verify 
prices for any amount more than one million. 

For contact use Jabber (XMPP): jabber@honese.com 

An alternative communication channel is ICQ 104967. 

I always welcome new and old clients, as well as feedback! 

Good luck and keep it up. 

Petr Severa 

³ The advertisement, which was written in Russian, was later translated into English 
by a FBI linguist. The references in the advertisement to “[PH]” are those of the linguist and 
reflect that a word has been translated phonetically. 

53. LEVASHOV continues to use the nickname Severa in operation of the 
Kelihos botnet. On or about March 20, 2017, an individual known to law 
enforcement contacted LEVASHOV, who is currently believed to be traveling 
outside of Russia, via a chat application to express interest in purchasing one or 
more spam deliveries. Upon an initial inquiry looking for the “services of Peter 
Severa” and a request to confirm pricing and services offered, LEVASHOV 
responded on March 21, 2017: “Hi, I am Peter Severa. I were away, what do you 
want to send? job offe[r]s, dating, phishing, malware? or what?” 

54. In subsequent exchanges between Severa and the individual on March 
20, 2017, Severa stated that he accepts bitcoins. “Job offers”—which I know based 
on my training and experience refers to money mule solicitations⁴—were priced at 
“300 usd per 1 million emails, 450 per 2 mil[lion].” However, Severa also indicated 
price differentials for different kinds of spam deliveries: “phishing, scam etc 500 usd 
per 1 mil... 750 per 2.” Severa also confirmed that the individual could purchase 
spam to be sent only to a specific country (including the United States). Severa 
stated: “i need just payment and letter to start,” and instructed that, “[A]fter 
payment put it to archive with password and upload to sendspace.com.” According 
to sendspace.com’s website, “Sendspace is the best way to send large files, too big 
for email attachments, to friends, family and businesses, anywhere in the world.” 
Severa also indicated that he has “10-15 orders daily.” 

⁴ A “mule” or “money mule” is an individual who is used to transport or launder stolen 
money in furtherance of criminal activity and its related organizations. These individuals 
can be either wittingly or unwittingly participating in the fraud. 

55. On or about March 21, 2017, the individual paid Severa in bitcoin to 
purchase a spam campaign to be directed at the United States. The spam email 
submitted to Severa included a link to a website advertising “work from home” job 
opportunities. Severa responded that the “Mailing takes 3-4 hours, but response can 
come during 2-4 days, people don’t read emails instantly.” He again reiterated that 
he has “10-15 orders daily.” 

56. The individual then asked Severa, “I had client recontact me about 
ransomware. you can do?” Within approximately twenty minutes, Severa responded 
via chat: 


I do mailings for installs, it costs 500 usd per 1 million emails, 
750 usd per 2 mil, 1k per 3 mil. I can’t send attached file inbox on 
volume, nobody can now, so send letter just with link to file or landing. 
I need just payment and letter to start. 


you need fresh text which never sent before, and you should 
randomize it by synonyms, by my template. You can use synonym.com 
service to find variants. You can do html message, but images only by 
links, not attachments. 


Template: 

{Spam | Blackmailing | Phishing Mailing} is {good | very good | the 
best}! Always {send | use | order | ask for}{it | this}{. |! |!!!} 

Samples(don’t write these, it’s generating automatically): 

1) Blackmailing is good! Always order it! 
2) Phishing Mailing is the best! Always use it!!! 

3) Spam is the best! Always send this. 


57. Based on my training and experience and the exchange between 
Severa and this individual, I believe that Severa’s reference to “mailings for 
installs” refers to the distribution of malware, including ransomware. 
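Severa’s template is spintax: every {a | b | c} group is resolved at send time, so the campaign never has to emit two byte-identical messages. The following Python is an added example, not part of the affidavit; it parses that template, enumerates the 216 messages it can produce, and compiles it into a single anchored regular expression so that a mail filter needs one rule rather than one signature per variant. The spacing between the last three groups is normalized as an assumption, since the affidavit’s copy runs the braces together while its samples show a space before “it” and none before the punctuation.

```python
import itertools
import re

# Severa's template as quoted in the affidavit (paragraph 56).  Assumption:
# the spacing between the last three groups is normalized here, because the
# affidavit's copy runs the braces together while its sample output
# ("Always order it!") shows a space before "it" and none before "!".
TEMPLATE = (
    "{Spam | Blackmailing | Phishing Mailing} is {good | very good | the best}! "
    "Always {send | use | order | ask for} {it | this}{. |! |!!!}"
)

# The three samples the seller said the tool generates from that template.
SAMPLES = [
    "Blackmailing is good! Always order it!",
    "Phishing Mailing is the best! Always use it!!!",
    "Spam is the best! Always send this.",
]

_GROUP_RE = re.compile(r"\{([^{}]*)\}")


def parse_template(template):
    """Split a spintax template into segments.

    Literal text becomes a one-element list; each {a | b | c} group becomes
    the list of its trimmed alternatives.  Nested groups are not handled,
    since the quoted template has none.
    """
    segments = []
    pos = 0
    for m in _GROUP_RE.finditer(template):
        if m.start() > pos:
            segments.append([template[pos:m.start()]])
        segments.append([alt.strip() for alt in m.group(1).split("|")])
        pos = m.end()
    if pos < len(template):
        segments.append([template[pos:]])
    return segments


def expand(template):
    """Every message the template can produce (the sender's output space)."""
    return ["".join(parts) for parts in itertools.product(*parse_template(template))]


def _literal_pattern(text):
    """Regex for a literal segment that tolerates any amount of whitespace
    wherever the template has some (spam tools vary spacing as well)."""
    if not text.strip():
        return r"\s+" if text else ""
    core = r"\s+".join(re.escape(w) for w in text.split())
    lead = r"\s+" if text[0].isspace() else ""
    trail = r"\s+" if text[-1].isspace() else ""
    return lead + core + trail


def template_to_regex(template):
    """Compile the whole template into one anchored regex: a single filter
    rule that matches all of its variants instead of one signature each."""
    pieces = []
    for seg in parse_template(template):
        if len(seg) == 1:
            pieces.append(_literal_pattern(seg[0]))
        else:
            alts = "|".join(_literal_pattern(a) for a in seg)
            pieces.append("(?:" + alts + ")")
    return re.compile(r"^\s*" + "".join(pieces) + r"\s*$")


def flag_messages(messages, template=TEMPLATE):
    """Return the messages that are variants of the template."""
    pattern = template_to_regex(template)
    return [m for m in messages if pattern.match(m)]


if __name__ == "__main__":
    variants = expand(TEMPLATE)
    print(f"{len(variants)} possible variants; samples seen:")
    for s in SAMPLES:
        verdict = "variant" if flag_messages([s]) else "no match"
        print(f"  {s!r} -> {verdict}")
```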

58. The individual then asked Severa if he “send[s] out stocks or 
pharma? does pricing change.” Severa immediately responded: 


SEVERA: legal offers? 
stocks what do you mean? 
pharma is 200 usd per 1 million emails 

Individual: penny stocks..buy/sell 

SEVERA: it’s PD 
pump and dump 
i have 25 mil traders list 
my price usually is 5% of trade 
with 5-10k deposit 

Individual: fair 

SEVERA: 5% by yahoo numbers 

Individual: ok. good to know in advance 

SEVERA: (PrevClose+LastPrice) / 2 * Volume * 5% 
i can move it good, just find the stock 
and we need deposit 
i’ll subtract each day numbers, when it 0 i stop 

Individual: i’ve know some people in the market who suggest stocks from time to time 

SEVERA: ask them 
we need the stock, if they can release news on it - it’s cool too 
people buy on news 
5-10k usd deposit, I accept btc or wire, or wmz 

59. Based on my training and experience, I believe that “btc” is a common 
abbreviation for bitcoin and “wmz” is a common abbreviation for WebMoney. 
WebMoney is a very popular alternative online payment system. WebMoney allows 
its users to store funds in different “purses,” where each purse can be maintained as 
a separate currency, such as U.S. dollars, or Russian Federation rubles. I have 
examined WebMoney account records tied to LEVASHOV. Those records revealed 
the use of IP address 91.122.62.16, the same IP utilized to access LEVASHOV’S 
iCloud account in his real name. This same IP address was also found to have 
accessed a WebMoney identifier (i.e. account) ending in 4986. Of note, registered 
under this account is the WebMoney purse ending in 1018, which is the purse 
supplied by LEVASHOV, under his Severa alias, when requesting payment for his 
spamming services with the individual referenced above. 

60. Additionally, I identified two instances when 91.122.62.16 accessed the 
WebMoney account ending in 4986, expressed by WebMoney in terms of dates/times 
when access would “begin” and “end.” In the first instance, I observed that 
LEVASHOV received an iTunes update from Apple, via 91.122.62.16, approximately 
11 hours prior to when the WebMoney account was accessed from that same IP 
address. In the second instance, the same IP address accessed the WebMoney 
account between May 17 and 18, 2016, and I observed one iTunes update a little 
over an hour prior to that period and another update approximately 14 hours after 
that access period ended. Based on my training and experience, the overlapping use 
of the IP address for an iTunes account in LEVASHOV’S name and a criminally 
used WebMoney account by the alias Peter Severa indicates that Peter Severa is 
LEVASHOV. 


JURISDICTION 

61. This Court has jurisdiction to issue the requested warrant under Rule 
41(b)(6)(B) because the above facts establish there is probable cause to believe that 
the items to be searched are protected computers that have been damaged without 
authorization and are located in five or more judicial districts and that there is 
probable cause to believe that activities related to the crime being investigated 
occurred within this judicial district.[5] 

62. It is possible to determine the IP addresses of computers infected by 
Kelihos by passively participating in the Kelihos botnet. Because it is a Peer to 
Peer botnet, infected computers exchange data on other known Kelihos infections. 
In this way the botnet remains connected internally. 

63. Examination of peer lists exchanged between peers in the botnet has 
revealed IP addresses that geolocated to Alaska, Connecticut, the Western District 
of Washington, Central District of California and the Southern District of New 
York, the Northern District of California, and numerous other judicial districts. 
Geolocation is a term that denotes the examination of where an IP address is likely 
to be located. For example, IP addresses assigned to an ISP based in Alaska likely 
belong to subscribers also based in Alaska. After identifying one such victim 
located in Alaska, in April 2016, I received consent to examine her computer for 
evidence of a Kelihos infection. I found that her computer’s configuration settings 
had been changed, and that an executable file was set to open any time her 
computer started up. Examination of this executable file revealed that it was 
Kelihos. 

[5] Fed. R. Crim. P. 41 was amended on December 1, 2016. Rule 41(b)(6)(B) is a new 
venue provision which went into effect on that date. 

Page 27 of 41 
MAY 30 2018 
Case No. 3:18-mj-00324-DMS 


64. The presence of Kelihos exposed this victim to significant potential for 
harm, in the form of stolen credentials, personal information, and victimization of 
other malicious payloads such as ransomware. Moreover, the victim’s computer was 
also subject to be used for the distribution of high volumes of spam to others 
without her knowledge. While an Alaskan-based Kelihos infected computer would 
send spam emails to victims worldwide, my investigation revealed that these emails 
were frequently directed to other Alaskan recipients. 

65. Furthermore, Kelihos targeted Alaskans with a high volume of 
malicious spam. I have studied a list of email addresses used by the Kelihos 
botnet, one of which was titled “pharma_b+pharma+trade,” and contained almost 
100 email addresses whose domains include k12.ak.us, meaning that these 
addresses are utilized by employees of school districts within Alaska. The same list 
has nearly 5,000 entries of emails utilizing the GCI.net domain. This domain, 
administered by General Communication Inc. (GCI), is one of the most popular 
Internet service providers within Alaska. I have also examined a March 28, 2017 
Kelihos job message that directed the distribution of a spam message to 10,000 
email accounts, three of which utilized email addresses with the domain 
uas.alaska.edu, which corresponds to the University of Alaska Southeast. Another 
included email account utilized the ci.juneau.ak.us domain, which corresponds to 
the city of Juneau. The subject line of the spam email was, “Do you want to impress 
your female partner tonight?” and the email included a link to a website which 
purported to be the “Canadian Health and Care Mall.” The website offered for sale 
a large number of prescription medications, including drugs such as Viagra and 
Cialis, pain relief medications such as Celebrex and Toradol, antibiotics such as 
Amoxicillin and Zithromax, and Antidepressants such as Prozac and Wellbutrin. 

The website itself contained fraudulent endorsements from the Federal Drug 
Administration, American Pharmacists Association and Verisign. 

66. On April 5, 2017, a search warrant was issued in Case No. 3:17-mj- 
00135 DMS for a period of 14 days, a Pen Register and Trap and Trace Order was 
issued in Case No. 3:17-mj-00136 DMS for a period of 60 days, and a Temporary 
Restraining Order was issued in Case No. 3:17-cv-00074 TMB. On April 6, 2017, 
the FBI, together with individuals acting under the direction or control of the FBI, 
began conducting the online operation and steps authorized by those Orders. On 
April 12, 2017, a Preliminary Injunction was issued in Case No. 3:17-cv-00074 TMB 
at docket 21. To date, the disruption has proceeded as planned. Based on data 
from the sinkhole servers and industry researchers, it appears that the vast 
majority of Kelihos-infected computers are no longer communicating with the 
Defendant’s infrastructure and are reporting exclusively to the sinkhole servers 
controlled by the government. The data further shows that as time has passed, a 
number of previously unobserved computers have communicated with the sinkhole 
servers. These new connections are likely the result of computers connecting to the 
internet after a period of dormancy. 

67. As explained in the Applications for a Search Warrant in Case Nos. 
3:17-mj-00135 DMS, 3:17-mj-00184 DMS, 3:17-mj-00202 DMS, 3:17-mj-00232, 
3:17-mj-00285, 3:17-mj-00301, 3:17-mj-00308, 3:17-mj-00327, 3:17-mj-00352, 
3:17-mj-00368, 3:17-mj-00404-DMS, 3:17-mj-00425-DMS, 3:17-mj-442-DMS, 
3:17-mj-00471-DMS, 3:17-mj-00489-DMS, 3:17-mj-00499-DMS, 3:17-mj-00524-DMS, 
3:17-mj-00540-DMS, 3:18-mj-00006, 3:18-mj-00026-DMS, 3:18-mj-00077-DMS, 
3:18-mj-00097-DMS, 3:18-mj-00164-DMS, 3:18-mj-193-DMS, 3:18-mj-00220-DMS, 
3:18-mj-00244-DMS, 3:18-mj-00264-DMS, 3:18-mj-00302-DMS, and this Application, the 
Kelihos malware furthers criminal activity, which the government continues to 
disrupt utilizing sinkhole servers. The chart below summarizes data from the 
sinkhole servers, and shows that tens of thousands of computers are infected with 
Kelihos, and that Kelihos-infected computers can be found within five or more 
districts within the United States. The location of U.S.-based infections is derived 
by geo-locating the IP addresses of the infected computers. The list of five districts 
is not representative of all districts with Kelihos infections, but rather, provided 
merely to indicate that at least five districts continue to face ongoing harm from 
Kelihos. 

68. Of note, for the date range of 3/7/2018 - 3/20/2018, as depicted below, 
the logging component of the sinkhole failed. This did not affect the integrity of the 
sinkhole, but it meant that the sinkhole was not logging the daily interaction with 
infected devices. This was discovered late into the two week period when I began 
work to prepare the next affidavit. I was able to get the logging feature reenabled on 
the final day of the reporting period. I believe that the number of infected 
computers observed during this period, 2,078, is an underrepresentation of the total 
number of infections during this period. The total number should have been 
approximately 6,000, based upon the preceding and following reporting period 
which were 6,261, and 5,839, respectively. 


Date Range              | Infected Computers | Districts 
4/6/2017 - 4/14/2017    | 52,755             | Alaska, Connecticut, Western District of Washington, Central District of California, Southern District of New York 
4/15/2017 - 5/1/2017    | 35,909             | Alaska, Connecticut, Western District of Washington, Central District of California, Southern District of New York 
5/2/2017 - 5/14/2017    | 32,328             | Connecticut, Western District of Washington, Central District of California, Northern District of California, Southern District of New York 
5/15/2017 - 5/30/2017   | 28,238             | Connecticut, Western District of Washington, Central District of California, Northern District of California, Southern District of New York 
5/31/2017 - 6/14/2017   | 23,329             | Connecticut, Western District of Washington, Central District of California, Northern District of California, Southern District of New York 
6/15/2017 - 6/26/2017   | 18,982             | Central District of California, Northern District of California, Southern District of California, Southern District of New York, Western District of Washington 
6/27/2017 - 7/11/2017   | 17,395             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
7/12/2017 - 7/25/2017   | 16,102             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
7/26/2017 - 8/8/2017    | 14,210             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
8/9/2017 - 8/22/2017    | 13,085             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
8/23/2017 - 9/5/2017    | 11,326             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
9/7/2017 - 9/19/2017    | 11,260             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
9/20/2017 - 10/3/2017   | 10,385             | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
10/4/2017 - 10/16/2017  | 9,943              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
10/17/2017 - 10/30/2017 | 9,665              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
10/31/2017 - 11/13/2017 | 9,090              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
11/14/2017 - 11/28/2017 | 7,694              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
11/29/2017 - 12/12/2017 | 7,634              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
12/13/2017 - 12/26/2017 | 7,538              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
12/27/2017 - 1/09/2018  | 7,020              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
1/10/2018 - 1/23/2018   | 6,998              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
1/24/2018 - 2/6/2018    | 6,993              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
2/7/2018 - 2/20/2018    | 6,468              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
2/21/2018 - 3/6/2018    | 6,261              | Central District of California, Northern District of California, District of Colorado, Southern District of New York, District of Utah 
3/7/2018 - 3/20/2018    | 2,078              | District of Arizona, Central District of California, Northern District of California, District of Colorado, District of Nevada 
3/21/2018 - 4/4/2018    | 5,839              | Central District of California, Northern District of California, District of Colorado, District of Nevada, Southern District of New York 
4/5/2018 - 4/17/2018    | 5,585              | Central District of California, Northern District of California, District of Colorado, District of Nevada, Southern District of New York 
4/18/2018 - 4/30/2018   | 5,286              | Central District of California, Northern District of California, District of Colorado, District of Nevada, Southern District of New York 
5/1/2018 - 5/15/2018    | 5,047              | Central District of California, Northern District of California, District of Colorado, District of Nevada, Southern District of New York 
5/16/2018 - 5/29/2018   | 4,855              | Central District of California, Northern District of California, District of Nevada, Southern District of New York, Western District of Washington 
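The per-period counts in the chart above, the five-district venue test of paragraphs 61 to 63, and the undercount caveat of paragraph 68 can all be derived from raw sinkhole check-in records. The Python below is an added example written for this page; it is not the affidavit's own code or the FBI's tooling. The check-in records, the prefix-to-district table (a stand-in for a real geolocation database) and the district names assigned to those prefixes are constructed; the two reporting periods and the 6,261 / 5,839 neighbour counts are taken from the chart.

```python
"""
Added example, not part of the affidavit or the FBI's tooling: summarise
sinkhole check-in records per reporting period, attribute each infected IP to a
judicial district, and flag periods whose daily logging has gaps so that the
count is reported as an undercount (the situation described for 3/7-3/20/2018).
All records, prefixes and district assignments here are constructed for the demo.
"""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress

# Constructed prefix -> district table standing in for a real geolocation
# database. Private 10/8 ranges are used so the sample is obviously synthetic.
PREFIX_DISTRICTS = {
    "10.1.0.0/16": "Alaska",
    "10.2.0.0/16": "Central District of California",
    "10.3.0.0/16": "Northern District of California",
    "10.4.0.0/16": "District of Colorado",
    "10.5.0.0/16": "Southern District of New York",
    "10.6.0.0/16": "District of Utah",
}
_NETS = [(ipaddress.ip_network(p), d) for p, d in PREFIX_DISTRICTS.items()]

# Two adjacent 14-day reporting periods matching the affidavit's chart.
PERIOD_A = (date(2018, 2, 21), date(2018, 3, 6))
PERIOD_B = (date(2018, 3, 7), date(2018, 3, 20))


def district_for(ip):
    """Map an IP to a district; the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, district in _NETS:
        if addr in net:
            return district
    return "unknown"


def build_sample_records():
    """Constructed check-ins as (day, ip). Period A is fully logged; in
    period B the logger was down and only the final day produced records."""
    bots = ["10.1.0.5", "10.2.0.9", "10.2.0.10", "10.3.0.7", "10.4.0.2", "10.5.0.3"]
    records = []
    day = PERIOD_A[0]
    while day <= PERIOD_A[1]:
        records.extend((day, ip) for ip in bots)
        day += timedelta(days=1)
    records.extend((PERIOD_B[1], ip) for ip in bots + ["10.6.0.4"])
    return records


def summarise_period(records, start, end):
    """Unique infected IPs, per-district counts and logging coverage for one period."""
    ips, days_logged = set(), set()
    per_district = defaultdict(set)
    for day, ip in records:
        if start <= day <= end:
            ips.add(ip)
            days_logged.add(day)
            per_district[district_for(ip)].add(ip)
    gap_days = (end - start).days + 1 - len(days_logged)
    return {
        "start": start,
        "end": end,
        "infected": len(ips),
        "districts": {d: len(s) for d, s in per_district.items()},
        "gap_days": gap_days,
        # A day with no check-in at all means the logger was not recording,
        # so the unique-IP count is a floor, not the infected population.
        "undercount": gap_days > 0,
    }


def meets_five_district_threshold(summary):
    """Venue test the affidavit relies on: infections in five or more districts."""
    return len([d for d in summary["districts"] if d != "unknown"]) >= 5


def estimate_from_neighbours(prev_count, next_count):
    """The affidavit's estimate for a period with failed logging: roughly the
    mean of the preceding and following periods (6,261 and 5,839 -> about 6,000)."""
    return round((prev_count + next_count) / 2)


if __name__ == "__main__":
    recs = build_sample_records()
    for period in (PERIOD_A, PERIOD_B):
        s = summarise_period(recs, *period)
        flag = " (undercount: %d unlogged days)" % s["gap_days"] if s["undercount"] else ""
        print(s["start"], "-", s["end"], s["infected"], "infected", sorted(s["districts"]), flag)
    print("estimate for failed-logging period:", estimate_from_neighbours(6261, 5839))
```

The gap check is the part worth copying: a sinkhole count is only as good as its logging coverage, so every reported period should carry the number of days on which no record at all was written, and any period with a non-zero gap should be published as a floor, as paragraph 68 does, rather than as the population.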


69. Efforts to remediate the current Kelihos infections are ongoing. The 
government has issued a press release advising the public how to safely remove 
Kelihos from infected computers, and, together with private sector partners 
operating at its direction, has engaged with Computer Emergency Response 
Teams (CERTs) and ISPs around the world to provide, in real time, the IP 
addresses of Kelihos victims. In the year since the commencement of the Kelihos 
takedown, the total number of devices infected with Kelihos has dropped by nearly 
90 percent. This significant reduction in the total number of Kelihos infections is a 
strong indication that the government’s ongoing mitigation efforts are succeeding. 

70. This application marks the final renewal of the Kelihos sinkhole. The 
FBI has begun notification procedures, which consist of determining which victims 
are associated with a given ISP, and providing the ISPs a list of victim IPs as well 
as date/time stamps for which the given victim IP interacted with the Kelihos 
sinkhole. This information is provided to facilitate the ISPs ability to notify their 
customers. ISPs will also be provided with a letter explaining the purpose of the 
sinkhole and information on the location of affidavits associated with the sinkhole 
operation. Within the next 15 day period, the FBI will cease receiving any data 
related to the Kelihos sinkhole and operation of the sinkhole and final mitigation 
measures will be controlled by private and public sector partners. 
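The notification step described in paragraph 70, determining which victim IPs belong to which ISP and handing each ISP the IPs together with the date/time stamps of their sinkhole contacts, can be scripted directly over the sinkhole's connection log. The Python below is an added example for this page and is not the FBI's own notification tooling. The log lines, the log format, the prefix-to-ISP table and the ISP names are all constructed; in a real run the ISP would be resolved from WHOIS or BGP data rather than a static table.

```python
"""
Added example, not part of the affidavit or the FBI's tooling: turn sinkhole
connection logs into per-ISP victim lists with the date/time stamps at which
each victim IP contacted the sinkhole. Log lines, log format, prefix-to-ISP
table and ISP names are constructed for the demonstration.
"""
from collections import defaultdict
import csv
import io
import ipaddress

# Constructed sinkhole log: "<timestamp> <source ip> <event>". One line is
# deliberately malformed and one IP falls outside every known ISP prefix.
SAMPLE_LOG = """\
2018-05-16T03:12:44Z 10.2.0.9 check-in
2018-05-16T03:13:01Z 10.7.1.20 check-in
2018-05-17T11:40:09Z 10.2.0.9 check-in
2018-05-17T11:41:55Z 10.7.1.21 check-in
2018-05-18T08:00:00Z 192.0.2.77 check-in
this line is not a valid record
"""

# Constructed prefix -> ISP table (names are placeholders, not real providers).
ISP_PREFIXES = {
    "10.2.0.0/16": "ExampleNet (constructed)",
    "10.7.0.0/16": "Northern Cable (constructed)",
}
_ISP_NETS = [(ipaddress.ip_network(p), isp) for p, isp in ISP_PREFIXES.items()]
UNATTRIBUTED = "unattributed"


def parse_log(text):
    """Return (timestamp, ip) for well-formed lines; skip anything that does
    not parse rather than letting one bad line abort the notification run."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        records.append((fields[0], fields[1]))
    return records


def isp_for(ip):
    """Map a victim IP to its ISP using the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, isp in _ISP_NETS:
        if addr in net:
            return isp
    return UNATTRIBUTED


def build_notifications(records):
    """Group victims by ISP: {isp: {ip: [timestamps...]}}, timestamps sorted.
    IPs with no matching prefix land in a separate bucket for manual follow-up."""
    bundles = defaultdict(lambda: defaultdict(list))
    for ts, ip in records:
        bundles[isp_for(ip)][ip].append(ts)
    return {isp: {ip: sorted(t) for ip, t in victims.items()}
            for isp, victims in bundles.items()}


def bundle_to_csv(victims):
    """Render one ISP's bundle as CSV: victim_ip, first_seen, last_seen, check_ins."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["victim_ip", "first_seen", "last_seen", "check_ins"])
    for ip in sorted(victims, key=ipaddress.ip_address):
        stamps = victims[ip]
        writer.writerow([ip, stamps[0], stamps[-1], len(stamps)])
    return out.getvalue()


if __name__ == "__main__":
    bundles = build_notifications(parse_log(SAMPLE_LOG))
    for isp, victims in bundles.items():
        print("==", isp, "==")
        print(bundle_to_csv(victims))
```

Each ISP receives only the rows for its own address space, which keeps the notification from disclosing other providers' victims, and the unattributed bucket makes it visible when the prefix data is stale instead of silently dropping those victims.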

TIME AND MANNER OF EXECUTION OF THE SEARCH 

71. To effectively combat the P2P structure of the Kelihos botnet, the FBI 
with assistance of private partners will participate in the exchange of peer lists and 
job messages with other infected computers.[6] The FBI’s communications, however, 
will not contain any commands, nor will they contain IP addresses of any of the 
infected computers. Instead, the FBI replies will contain the IP and routing 
information for the FBI's "sinkhole" server. As this new routing information 
permeates the botnet, the Kelihos infected computers will cease any current 
malicious activity and learn to only communicate with the sinkhole. The effect of 
these actions will be to free individual infections from exchanging information with 
the Kelihos botnet and with LEVASHOV. This will stop Kelihos’s most immediate 
harm, the harvesting of personal data and credentials, and the transmittal of that 
data to servers under LEVASHOV's control. Another portion of the Kelihos job 
messages is a list, known as the IP filter list. This list functions as a type of 
blacklist, preventing communication with those IPs contained within the filter list. 
If necessary, the FBI also seeks authorization to send a filter list to TARGET 
COMPUTERS to block Kelihos infected computers from continuing to communicate 
with router nodes. 

[6] The law is unsettled as to whether the operation authorized by the proposed 
warrant constitutes a search or seizure. However, in an abundance of caution, the United 
States is seeking a warrant. 

72. The sinkhole server will be a dead end destination that does not 
capture content from the infected computers. The sinkhole server, however, will 
record the unique IP address and associated routing information of the infected 
machine so that the FBI can alert the proper Internet Service Providers of the 
existence of infected machines on their network and to monitor the effectiveness of 
the disruption effort. By notifying Internet Service Providers, the unwitting victims 
can be alerted as to their status of victims and be assisted in the removal of Kelihos 
from their computers. The IP filter list was utilized to blacklist Kelihos supernodes 
for the purpose of propagating the initial takeover. The IP filter list is no longer 
utilized. 

73. Additionally, because the Kelihos malware directs infected machines to 
request peer lists from the Golden Parachute Domains when they are unable to 
reach any peers, the disruption effort will not be effective unless the domains are 
also redirected to the sinkhole. In order to prevent LEVASHOV from using the 
Golden Parachute Domains to recapture peers, it is essential that these domains be 
kept out of LEVASHOV’S hands. The Temporary Restraining Order sought as part 
of this action denies LEVASHOV these domains through an order to the Domain 
Registries responsible for the U.S.-based top level domains requiring them to 
redirect connection attempts to the sinkhole server. 

74. Rule 41(e)(2) of the Federal Rules of Criminal Procedure requires that 
the warrant command the law enforcement officer (a) “to execute the warrant 
within a specified time no longer than 14 days” and (b) to “execute the warrant 
during the daytime unless the judge for good cause expressly authorizes execution 
at another time .. . .” The government seeks permission to transmit the updated 
peer list at any time of day or night for 30 days after the date the warrant is 
authorized. There is good cause to allow such a method of execution as the time of 
deployment causes no additional intrusiveness or inconvenience to anyone. More 
specifically, the government has no control of the timing or when the infected 
computers will access the peer list. In addition, the government seeks to transmit 
the peer list and job messages for 30 days, because based on my training and 